Methods and systems for performing an authenticated boot; performing continuous data protection; performing automatic protection and, optionally, consolidation; and performing other defenses and protection of a protected computing device (such as a computer system) are provided. The aspects include integrating security mechanisms (which may include a “call home” function, role- and rule-based policies, validating technologies, encryption and decryption technologies, data compression technologies, protected and segmented boot technologies, and virtualization technologies). Booting and operating (either fully or in a restricted manner) are permitted only under the control of a specified role-set, rule-set, and/or a controlling supervisory process or server system(s). The methods and systems make advantageous use of hypervisors and other virtual machine monitors or managers.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A computer-implemented method of operating a non-transitory virtual machine manager computer program comprising a hypervisor and a plurality of virtual machines to protect against the unauthorized use of system resources in a distributed computer system spread across multiple network nodes, comprising the following steps: (a) establishing a communication interface over a network with a first computing device located at a first network node after power-on of said first computing device, said first computing device comprising at least one of memory, storage, input/output functions and network capabilities; (b) providing a first virtual machine to run on said first computing device, said first virtual machine corresponding to a first operating system; (c) in the event step (e) results in authentication, launching said first operating system corresponding to said first virtual machine for use on said first computing device; (d) before step (c), communicating with a second computing device located at a second network node, wherein a request of said first computing device for said first virtual machine triggers an automated authentication request prior to launching said first operating system corresponding to said first virtual machine, said request comprising information relating to an attribute or characteristic of said first computing device; (e) after step (d), receiving a response token generated by said second computing device in response to said authentication request, wherein said first operating system is launched or not launched on said first computing device depending at least in part upon the content of said response token; (f) before, after, or concurrently with step (a), implementing a virtual machine-related policy governing an attribute or characteristic of said first virtual machine; and (g) before, after, or concurrently with step (a), communicating with a control console, wherein said control console monitors and presents data relating to said distributed computer system, including data relating to at least one of said plurality of virtual machines, (h) after step (c), permitting said first computing device to access data from a storage computing device located at a third network node after said response token is generated and said first operating system is launched.
2. The method of claim 1, wherein said first computing device boots a host operating system prior to the launch of said first virtual machine and said first operating system.
3. The method of claim 1, wherein said virtual machine is launched during the boot of said first computing device to run on said computing device without an underlying host operating system.
4. The method of claim 2, wherein at least one attribute of said first virtual machine includes a limitation on memory, storage, or input/output functions according to said policy.
5. The method of claim 4, wherein said control console is located at a fourth network node.
6. The method of claim 5, wherein said second computing device is a server.
7. A computer-implemented method of creating a distributed computer system spread across multiple network nodes including an authentication server and an authentication routine to protect against the unauthorized access of system resources, comprising the following steps: (a) establishing an interface facilitating communication over a network to a plurality of remote computing devices, each of said plurality of remote computing devices comprising at least one of memory, storage, input/output functions, and network capabilities; (b) establishing a virtual machine manager by executing a computer program comprising a hypervisor code segment and a communication interface code segment across multiple network nodes, wherein said virtual machine manager is configured to receive a request from a first of said plurality of remote computing devices located at a first network node for a virtual machine, said virtual machine corresponding to an operating system; (c) after steps (a) and (b), communicating via said virtual machine manager a request to authenticate to an authentication server located at a second network node prior to providing said virtual machine and launching said operating system; (d) based at least in part upon an action undertaken by said authentication server in response to said request to authenticate in step (c), said virtual machine manager either providing to said first of said plurality of remote computing devices said virtual machine and enabling launch of said operating system, or declining to provide to said first of said plurality of remote computing devices at least one of said virtual machine or said operating system, (e) said virtual machine manager communicating with a network administration computing device before, after, or concurrently with step (d), wherein said network administration computing device monitors and presents data relating to an attribute or characteristic of said virtual machine or said operating system, and (f) before, after, or concurrently with step (e), implementing a virtual machine-related policy governing an attribute or characteristic of said virtual machine.
8. The method of claim 7, wherein said virtual machine manager implements the authorization of one or more specific services associated with said virtual machine.
9. The method of claim 8, further comprising the step of providing a credential to said authentication server as part of said request to authenticate, whereupon said authentication server responds at least in part by supplying a token, said token comprising an authorized scope of specific services or data associated with said virtual machine.
10. The method of claim 9, wherein said network administration computing device is located at a third network node.
11. The method of claim 10, wherein at least one of said virtual machine manager and said network administration computing device implements authorization of at least one service which an identified user is entitled to perform via said virtual machine.
12. A computer-implemented method of distributing components across multiple network nodes of a computer system using an authentication routine to enable selective access to authorized system resources, comprising the following steps: (a) using a first computer program code segment to create an interface configured to communicate over a network comprising a plurality of computing devices at multiple locations, each location comprising at least one network node; (b) using a second computer program code segment to create an interface configured to create a logical connection between a first of said plurality of computing devices located at a first network node and a storage controller enabling access to data from a data storage repository, wherein said storage controller is located at a second network node; (c) after step (a), using a third computer program code segment to run an operating system corresponding to a first virtual machine on said first of said plurality of computing devices, said third computer program code segment comprising at least a hypervisor relating to said first virtual machine and implemented in whole or in part on one or more of said plurality of computing devices; (d) after step (a) and before step (c), using a fourth computer program code segment at an authentication server located at a third network node to authenticate by generating an authorization token in response to a proper request for authentication, the content of said authorization token providing an indicia of authorization to employ said operating system on said first of said plurality of computing devices; (e) before, after, or concurrently with step (d), using a fifth computer program code segment at a control console to control at least one of said plurality of computing devices remotely; wherein said first virtual machine is launched between the start time of the said first of said plurality of computing devices and the first use of said operating system for said first of said plurality of computing devices by a user, based at least in part upon the content of said authorization token, and wherein after steps (a)-(d), said storage controller is accessible to at least one of said first virtual machine and said operating system via said logical connection.
13. The method of claim 12, wherein the launch of said operating system does not occur without said authorization token.
14. The method of claim 13, wherein said third computer program code segment does not reside in said authentication server.
15. The method of claim 14, wherein said third computer program code segment comprises at least a hypervisor code sub-segment and a communication interface code sub-segment, each of which executes at separate network nodes.
16. The method of claim 15, wherein said control by said control console comprises at least a direct or indirect control over said first of said plurality of computing devices via the implementation of at least one policy related to one or more of an input/output device, memory, or storage associated with said first of said plurality of computing devices.
17. The method of claim 16, wherein said storage controller is located at a fourth network node.
18. The method of claim 17, wherein said control console is located at a fifth network node.
19. The method of claim 18, said authorization token comprising indicia of an authorized scope of service or data.
20. The method of claim 19, wherein said data from a data storage repository is encrypted.
21. The method of claim 20, wherein said data from a data storage repository is organized into partitioned volumes.
22. The method of claim 21, wherein said first of said plurality of computing devices is a portable, handheld electronic device.
23. The method of claim 21, wherein said first of said plurality of computing devices is a computer.
24. The method of claim 21, wherein said first of said plurality of computing devices is a server.
25. The method of claim 21, wherein said first of said plurality of computing devices boots a host operating system prior to the launch of said first virtual machine and said first operating system.
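The authentication-gated launch described in claims 1, 4 and 9 (device attributes sent before launch; a response token whose content carries an authorized scope of services and a resource policy; launch only if the token checks out), as an added simulation that is not code from the patent or any product implementing it. The token format (HMAC-protected JSON over a shared secret), the policy table, the device fingerprints and a direct function call standing in for the network round trip are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumed shared secret between the authentication server and the hypervisor;
# the claims specify a token but not how its integrity is protected.
SECRET = b"example-shared-secret"

# Constructed policy table on the authentication server: device attribute ->
# permitted VM, authorized service scope (claim 9) and memory limit (claim 4).
POLICY = {
    "dev-A-fingerprint": {"vm": "corp-linux", "services": ["nfs", "mail"], "mem_mb": 4096},
}

def auth_server(request: dict) -> str:
    """Claim 1 step (e): answer the authentication request with a response token
    whose content states whether launch is authorized and with what scope."""
    entry = POLICY.get(request.get("device_attr"))
    body = {"device_attr": request.get("device_attr"), "vm": request.get("vm")}
    if entry is None or entry["vm"] != request.get("vm"):
        body["authorized"] = False
    else:
        body.update(authorized=True, services=entry["services"], mem_mb=entry["mem_mb"])
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode())
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + mac

def verify_token(token: str, device_attr: str, vm: str) -> dict:
    """Hypervisor side: check token integrity, bind it to this device and VM,
    then launch or refuse depending on its content (claim 1 step (c)/(e))."""
    payload, mac = token.split(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return {"launched": False, "reason": "token integrity check failed"}
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["device_attr"] != device_attr or body["vm"] != vm or not body.get("authorized"):
        return {"launched": False, "reason": "not authorized"}
    # Launch with the policy limits carried in the token (claims 4 and 9).
    return {"launched": True, "vm": vm, "mem_mb": body["mem_mb"], "services": body["services"]}

def hypervisor_launch(device_attr: str, vm: str) -> dict:
    """Claim 1 step (d): the VM request triggers the authentication request
    before any launch; the network hop is simulated by a direct call."""
    token = auth_server({"device_attr": device_attr, "vm": vm})
    return verify_token(token, device_attr, vm)
```

The integrity check matters because the token content alone decides launch: a token whose body has been altered in transit, or one issued for another device or VM, must not enable the operating system.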
December 31, 2019
January 26, 2021